Apple delivers jumbo security update for Mac OS X

Gregg Keizer |
May 14, 2009

Patches 67 bugs, including two used to hack Macs at Pwn2Own contest

Storms was struck by the contrast between Apple's update and the one that Microsoft unveiled earlier today. "Microsoft, which historically has had the view of producing the less-secure operating system, puts out one bulletin today, with 14 vulnerabilities. And Apple comes out with [an update with] 67 bugs," he noted. "It's a 'I coulda had a V8' moment, where you slap your forehead," Storms continued. "It's like history changed in front of my eyes."

Critical of Apple's security practices in the past, Storms didn't let up today. "Who really knew that OS X was this insecure?" he said. "This has to be a wake-up call for somebody."

He did not, however, hit the quality of Apple's patches. "The quality on both sides is good," he said. "I don't see a difference in quality between the two [Apple and Microsoft]." Instead, he focused on the lack of business-grade management tools and the paucity of information that Apple provides about the bugs and the ensuing patches.

"Macs really still aren't an enterprise tool," he said, "even though Apple's marketing likes to say that they are, and that they're used in enterprises."

Apple last patched its operating system in mid-February 2009, when it fixed 48 vulnerabilities. Today's patch tally was 40% larger, and the biggest since that 90-fix update 14 months ago.

Safari also was patched today. Apple issued separate security updates for Safari 3.0 and the beta of Safari 4.0; both updates patched three vulnerabilities in the Mac and Windows versions of the browser. Mac users can apply the updates separately, but the patches are included in the 67 that make up 2009-002.

The security update can be downloaded from the Apple site or installed using Mac OS X's integrated update service. Leopard users, however, won't see the security update separately, since the patches were rolled into the Mac OS X 10.5.7 upgrade also released today.